Abstract

Backdoor attacks have been shown to pose an effective threat to deep neural networks in various domains, such as biometrics, authentication, and autonomous driving. Attackers compromise the integrity of the model, causing it to behave normally on benign samples but perform attacker-specified actions on samples containing specific triggers. However, existing attack methods often suffer from two main drawbacks: permissions and concealment. While some attack methods may not require high levels of permissions from the attacker, their triggers are typically visible to the naked eye, which significantly reduces the attack's concealment and makes it susceptible to detection by existing defense mechanisms. Although many advanced attack methods enhance concealment, they often necessitate control over the model's training process, which significantly limits the practical applicability of the attack. To circumvent these two drawbacks, we propose a novel backdoor attack method called WaTrojan, which implements the attack by adding triggers in the wavelet domain. The key to this attack lies in adding perturbations to the wavelet domain of an image, thereby altering the entire spatial domain of pixels. This approach challenges many assumptions of existing defense methods and makes poisoned images nearly indistinguishable from clean images visually. We evaluate WaTrojan on five benchmark datasets: MNIST, CIFAR-10, GTSRB, CelebA, and ImageNet. The results indicate that our attack achieves an extremely high attack success rate while causing almost no drop in accuracy on benign samples. The visual quality of the poisoned images is high, with little perceptual difference from benign images. Furthermore, we assess the performance of WaTrojan under existing defense measures, and the results show that WaTrojan is robust and can significantly evade and resist the impacts generated by these defense measures.
